Comments (8)
No idea, never needed this.
from lupa.
skorokithakis, I recommend you look into my HardLupa project. It's for exactly this type of thing, and runs code with a stripped down set of libraries in a separate process. It's still in early development, so it doesn't have timeouts built in yet, but it does have placeholders for where they will be implemented. If you're up for it, it probably won't be too hard to do that little patch yourself! I'd certainly pull any changes to that effect.
from lupa.
You likely also want to use this if what you're after is a sandbox:
https://github.com/scoder/lupa#restricting-lua-access-to-python-objects
from lupa.
@campadrenalin, thanks for that, it looks ideal. C is not my strong suit, but I'll have a look and see if I can do something about it. Right now I just use the resource module, limiting CPU and RAM, but it kills the Python process if the limits get exceeded, so it's not very graceful.
@scoder Thanks, the project doesn't really have to access any Python objects (I remove them from the sandbox) but I implemented that just in case. Do you know if it's possible to execute bytecode with Lupa? I'd hate to have a vulnerability that way...
from lupa.
Thanks, scoder! While I wasn't planning on supporting anything fancier than raw values, this is a necessity if I ever extend it to do so.
from lupa.
I would really need this. What's the odds this will require a separate thread running Lua?
from lupa.
Fairly low, but that's just a guess. Threads never work for these things. I would expect Lua to support something like this somehow, at least within limits. This looks relevant at first sight, for example:
http://lua-users.org/lists/lua-l/2006-10/msg00758.html
A quick web search should bring more answers. If you want full safety and control, only a separate process can give you that, which you can kill at any time.
from lupa.
The feature originally requested can be achieved using the count parameter of debug.sethook
. (One could check the clock time every so often, or just bound the total number of instructions allowed in the sandbox.)
There are two issues, however:
- AFAICT there's nothing the hook function could do do interrupt the Lua interpreter other than raising a Lua error or a Python exception. Therefore, the sandboxing only works if
pcall
andxpcall
are hidden from the user. This could be fixed in lupa, by providing a suitable method to stop the interpreter. - The debug hook is not inherited by coroutines, so care needs to be taken with the the
coroutine
table: either exclude it from the sandboxed environment, or patch the coroutine creation functions... Perhaps there is some other better approach.
What do you think about the first point?
from lupa.
Related Issues (20)
- lupa 2.0 is missing wheels for Python 3.12 HOT 4
- Error loading C modules in 2.x HOT 6
- Expose Lua load arguments (mode and chunkname) HOT 9
- Identity of wrapped Lua objects
- Deadlock involving __dealloc__ HOT 3
- [Feature Request] Async Overhaul
- [Feature Request] Expose Guts for better fine control.
- Ship Lua 5.1 with default lupa installation HOT 3
- pip install lupa fails on Windows HOT 2
- Terra HOT 1
- question: using python functions on lua tables HOT 2
- error lupa.lua54.LuaSyntaxError:
- Can Chinese name function functions be supported?
- Can't install lupa using pip HOT 3
- lua51 missing HOT 1
- 2.1 `pip install --upgrade lupa` not enough, `--force-reinstall` was needed HOT 4
- Unable to Import 'lua-utf8' in LuaJIT HOT 1
- 2.1: pytest fails in `lupa/tests/test.py::TestOverflowMixin::test_no_overflow` unit HOT 8
- Cython error: Lua "undeclared name not builtin: long" HOT 2
- 'popen' not supported
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from lupa.